The Impact Advisor 1Q19

The Impact Advisor 1Q19

The Impact Advisor - Impact Advisors' Quarterly eNewsletter

The Impact Advisor is a digital newsletter focused on healthcare IT news topics, trends, and disruptors. We’re committed to delivering value through this quarterly publication. Please engage with us (by subscribing), so we may continue to share our insights and lessons learned with you. 


View Back Issues

February 4, 2019


A new “research letter” in JAMA based on analysis of de-identified claims from a “large commercial health plan” found that, while telemedicine is growing rapidly, it remains relatively uncommon.  Despite the spike in growth (particularly in primary care telemedicine visits), the authors note their findings suggest that telemedicine is still not a “huge phenomenon.”  In fact, only 7 out of every 1,000 people in the studied population had a telemedicine visit in 2017.

Total Telemedicine Visits

(Note: based on de-identified claims from a “large commercial health plan”)

Total Telemedicine Visits - JAMA

Source: JAMA, 11/27/18

Why It Matters:

Telemedicine has taken on added importance amid growing pressure from non-traditional competitors (retail clinics, etc.) – many of which are aggressively investing in telemedicine themselves.  On one hand, telemedicine represents a way to help traditional provider organizations compete directly with these new entrants on convenience and access.  On the other hand, telemedicine can also be a way for health delivery organizations to differentiate themselves from many of the non-traditional competitors that have emerged.  One of the biggest advantages that providers have over retail clinics, independent urgent care centers, and even onsite employer clinics is the patient-provider relationshipA robust telemedicine program – if designed, implemented, and marketed the right way – can create an even deeper connection with patients, effectively enabling health systems to build on one of their strengths. If done poorly, it could remain in the category of things patients avoid, like infections.


According to a recent article in Modern Healthcare, health systems are starting to take consumer research more seriously in an effort to “enhance patient satisfaction and establish brand loyalty.”  However, “the providers making substantial investments in [consumer] research – usually through their own internal research arms – are still few and far between.”  Modern Healthcare reports that one of the biggest challenges is convincing executives and the board about the value proposition of investing in consumer research initiatives.

Patient Satisfaction - MH

Image source: Modern Healthcare, 10/27/18

Why It Matters:

This is a perfect example of an area where healthcare organizations can learn a lot from other service industries.  Leading companies in hospitality, travel, and retail are constantly collecting input and feedback at every point in the consumer’s journey; most have also invested heavily in analytics tools to understand their customer base and create a deeply personalized digital experienceIn healthcare, there is a lot of talk about the need to “transform” the patient experience – but the reality is many hospitals and health systems still lack a solid understanding of what that experience actually looks like from the consumer’s perspective.


A recent survey of 190 hospital and health system executives from Kaufman Hall looks at providers’ internal cost reduction efforts.  According to the report, in addition to “lack of reliable data, and lack of tools to identify and monitor cost improvement efforts,” one of the biggest challenges for hospitals and health systems is “lack of accountability for goal setting and achievement.”  For example, almost one-third of respondents said their organization has no five-year cost reduction goal in place at all.  Additionally, 57% of respondents said their organization “sets cost-reduction targets solely at the enterprise level, not at the vice president, service line, or department level.”

Five-Year Cost-Reduction Goals

Cost Reduction Goals - KH

Source: “State of Cost Transformation in U.S. Hospitals and Health Systems,” Kaufman Hall, 10/16/18

Why It Matters:

The pressure on hospitals and health systems to reduce organizational costs is not going away any time soon.  Putting the right processes in place and establishing cost-reduction targets at the service line and/or department level are obviously important (albeit early) steps.  The next phase will be enabling the organization to drive cultural change by engaging key, cross-functional operational stakeholders, and not just from a clinical perspective, but from a business perspective as well.  These are service line leaders and department managers who understand specific cost reduction targets and who are also knowledgeable about the factors that impact performance on those key business metrics.  Realizing that level of cultural change will likely be more challenging for not-for-profit hospitals and health systems than for-profit provider organizations, but it will be an increasingly important competitive differentiator as time goes on.


A new paper in the American Heart Journal reveals that Stanford Medicine and Apple were able to enroll 419,093 participants in the Apple Heart Study in less than a year – making it the “the largest screening study on atrial fibrillation ever performed,” according to Wired.  While acknowledging the major potential benefits from a research perspective, Wired also points out the possible downside of such a large study, namely “misdiagnosis, unnecessary tests, [and] overtreatment.”

Apple Heart Study Enrollment per Week

Apple Study Enrollment


Why It Matters:

Enrolling almost 420,000 patients in a clinical study in less than a year is not only astonishing – it is borderline disruptive.  It is worth pointing out that the actual results of the study have yet to be published, so there are still unknowns about the ability of the Apple Watch to accurately detect heart irregularities on such a large scale.  We also don’t disagree with Wired about the potential for misdiagnosis, unnecessary tests, and overtreatment – those are absolutely issues that will need to be closely monitored.  The big takeaway is simply the fact that Apple and Stanford were able to enroll so many people in the study.  Not only does the staggering level of enrollment underscore the growing interest among patients to participate in research (and by extension engage in their health), it also highlights the power of partnerships between leading health delivery organizations and big tech firms.


An excellent 2018 report from KLAS looks at current challenges – and provider concerns – with the security of connected medical devices.  Interestingly, despite the wide number of challenges mentioned (many of which are not even fully under providers’ control), almost 40% of organizations said they are either “confident” or “very confident” that their medical device security strategy will “protect patient safety and/or prevent disruptions to patient care.”  Overall, almost one-fifth (18%) of responding provider organizations “have had medical devices impacted by malware or ransomware in the past 18 months.”

Patient Safety Pie Chart

Source: “Medical Device Security 2018,” KLAS Research

Why It Matters:

Medical device security is about more than just protecting PHI.  Current vulnerabilities also represent a genuine patient safety risk, with a nightmare scenario of hackers disabling or taking control of a bedside device connected to a patient.  There are a lot of factors involved when it comes to trying to secure a growing ecosystem of networked medical devices, and this report does an excellent job of highlighting the sheer complexity of the problem that providers are facing right now.  Given the size and scope of the challenge though, we are definitely a bit surprised that almost 40% of providers expressed confidence in their medical device security strategy.  We have no doubt that some leading organizations are starting to put the right processes, policies, and technology in place – but it will be critical that efforts keep moving forward.  Cyber threats are rapidly evolving – and providers have to ensure their medical device security strategies evolve just as quickly.


Q: Does your information security incident response process allow for you to examine who has you in their sight, what they’re after and how they plan to get their hands on it?

A: Information breaches not only affect IT but impact the entire organization. Cyber-criminals will continue to find success with the same tried and tested techniques, and their victims will continue to make the same mistakes. The Incident Response Process should be designed to provide guidance for appropriate response activities in the event of an information technology, system or cyber-security incident. The process of responding to Information Security Incidents can be broken into several major phases: Preparation, Detection, Response, and Recovery. In addition, communication responsibilities should be specified in detail. While conducting containment and eradication steps, retain evidence where possible.  Copies of malicious files, emails, logs and/or other artifacts should be retained if they will help with lessons learned analysis.  Where necessary, systems or hard drives may be retained for forensic analysis.

Why It Matters:

Most cyber-criminals are motivated by cash. If your organization does not strengthen its security procedures, there is a strong likelihood that the cyber-criminals will be able to steal payment card data, personally identifiable information, protected health information, or your intellectual property. The 2018 Data Breach Investigations Report (DBIR) from Verizon provides analysis into several 2018 data breaches. Some highlights include:

  • People are still falling for phishing campaigns.
  • Ransomware is the top variety of malicious software, found in 39% of cases where malware was identified.
  • Of the data breaches analyzed, the healthcare sector had most breaches and number of incidents.
  • “Healthcare is the only industry where the threat from inside is greater than that from outside. Human error is a major contributor to those stats. Employees are also abusing their access to systems or data, although in 13% of cases, it’s driven by fun or curiosity—for example, where a celebrity has recently been a patient.”
  • 68% of breaches took months or longer to discover.

Don’t wait to find out about a breach from law enforcement or a customer. Log files and change management systems can give you early warning of a security compromise. Make people your first line of defense. Limit access to the people who need it to do their jobs, and have processes in place to revoke it when they change roles. Patch promptly. Encrypt sensitive data. Use two-factor authentication. Phishing campaigns are still hugely effective. And employees make mistakes. Two-factor authentication can limit the damage that can be done if credentials are lost or stolen. Don’t forget physical security.

(Response provided by Shefali Mookencherry, Cybersecurity Expert at Impact Advisors)